Parametrize the AWS ARN for S3 bucket policies (#39)

This change allows a user to override the AWS ARN (which to defaults to the most common use case of "arn:aws") in order to allow one to use this module in the AWS GovCloud/China regions. This can be done by setting the value of the arn_format variable to "arn:aws-us-gov"/"arn:aws-cn" respectively.
cloudposse · Mar 26, 2020 · 7a0f82a · 7a0f82a
1 parent 9487b8d
commit 7a0f82a
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -160,6 +160,7 @@ Available targets:
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply to the S3 bucket | string | `private` | no |
 | additional_tag_map | Additional tags for appending to each tag map | map(string) | `<map>` | no |
+| arn_format | ARN format to be used. May be changed to support deployment in GovCloud/China regions. | string | `arn:aws` | no |
 | attributes | Additional attributes (e.g. `state`) | list(string) | `<list>` | no |
 | billing_mode | DynamoDB billing mode | string | `PROVISIONED` | no |
 | block_public_acls | Whether Amazon S3 should block public ACLs for this bucket | bool | `true` | no |

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -4,6 +4,7 @@
 |------|-------------|:----:|:-----:|:-----:|
 | acl | The canned ACL to apply to the S3 bucket | string | `private` | no |
 | additional_tag_map | Additional tags for appending to each tag map | map(string) | `<map>` | no |
+| arn_format | ARN format to be used. May be changed to support deployment in GovCloud/China regions. | string | `arn:aws` | no |
 | attributes | Additional attributes (e.g. `state`) | list(string) | `<list>` | no |
 | billing_mode | DynamoDB billing mode | string | `PROVISIONED` | no |
 | block_public_acls | Whether Amazon S3 should block public ACLs for this bucket | bool | `true` | no |

diff --git a/main.tf b/main.tf
@@ -55,7 +55,7 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
     ]
 
     resources = [
-      "arn:aws:s3:::${local.bucket_name}/*",
+      "${var.arn_format}:s3:::${local.bucket_name}/*",
     ]
 
     condition {
@@ -83,7 +83,7 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
     ]
 
     resources = [
-      "arn:aws:s3:::${local.bucket_name}/*",
+      "${var.arn_format}:s3:::${local.bucket_name}/*",
     ]
 
     condition {

diff --git a/variables.tf b/variables.tf
@@ -87,6 +87,12 @@ variable "region" {
   description = "AWS Region the S3 bucket should reside in"
 }
 
+variable "arn_format" {
+  type        = string
+  default     = "arn:aws"
+  description = "ARN format to be used. May be changed to support deployment in GovCloud/China regions."
+}
+
 variable "acl" {
   type        = string
   description = "The canned ACL to apply to the S3 bucket"